Discussion:
[AMaViS-user] dkim and internal header stripping
Robert Brooks
2008-06-10 10:38:31 UTC
Mark,

I'd previously been stripping internal received headers from my emails
prior to sending out (a bit anal I know). This breaks dkim signatures,
any way of asking amavis not to sign received headers?

Regards,

Rob

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
AMaViS-user mailing list
AMaViS-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
Mark.Martinec+ (Mark Martinec)
2008-06-10 12:15:11 UTC
Rob,
Post by Robert Brooks
I'd previously been stripping internal received headers from my emails
prior to sending out (a bit anal I know). This breaks dkim signatures,
any way of asking amavis not to sign received headers?

$signed_header_fields{'received'} = 0;


Mark

Mark.Martinec+ (Mark Martinec)
2008-06-10 12:59:36 UTC
I'll add the following text to release notes:

An associative array %signed_header_fields controls which header fields
are to be signed. By default it contains a standard (RFC 4871) set of
header field names, augmented by some additional header field names
considered appropriate at the time of a release (RFC 4021, RFC 3834).
In addition a 'Sender' header field is excluded because it is frequently
replaced by a mailing list, and as the RFC 2821 mandates there can only
be one such header field the original one is dropped, invalidating a
signature. Also the 'To' and 'Cc' are excluded from a default set because
sendmail mailers are known to gratuitously reformat the list, invalidating
a signature.

The default set of header fields to be signed can be controlled
by setting %signed_header_fields elements to true (to sign) or
to false (not to sign). Keys must be in lowercase, e.g.:

$signed_header_fields{'received'} = 0; # turn off signing of Received
$signed_header_fields{'to'} = 1; # turn on signing of To


Mark
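
An added illustration of the behaviour described in this message (not code from amavisd-new or from the original thread): it selects and canonicalizes the header fields named in an h= list and shows that stripping a Received field after signing changes the signed input only when 'received' is in the list. The sample headers and addresses are constructed, and the real DKIM data hash also covers the DKIM-Signature field itself, which is left out here.

```python
import hashlib

def parse_headers(raw: str) -> list:
    """Split a CRLF header block into [name, value] pairs, unfolding continuation lines."""
    fields = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        if line[0] in " \t" and fields:
            fields[-1][1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            fields.append([name, value])
    return fields

def relaxed_field(name: str, value: str) -> str:
    """'relaxed' header canonicalization: lowercase name, single spaces, no padding."""
    return name.strip().lower() + ":" + " ".join(value.split()) + "\r\n"

def signed_header_input(raw: str, h_tag: list) -> str:
    """Select fields the way a verifier does: for each h= entry take the bottom-most
    instance of that name not already used; a missing field contributes nothing."""
    fields, used, out = parse_headers(raw), set(), []
    for wanted in h_tag:
        for i in range(len(fields) - 1, -1, -1):
            if i not in used and fields[i][0].strip().lower() == wanted.lower():
                used.add(i)
                out.append(relaxed_field(*fields[i]))
                break
    return "".join(out)

def header_digest(raw: str, h_tag: list) -> str:
    """SHA-256 over the selected, canonicalized fields (DKIM-Signature field omitted)."""
    return hashlib.sha256(signed_header_input(raw, h_tag).encode()).hexdigest()

# Constructed sample headers; hostnames and addresses are placeholders.
AS_SIGNED = ("Received: from desk.internal.example by mx.example.com;\r\n"
             "\tTue, 10 Jun 2008 10:38:00 +0000\r\n"
             "From: rob@example.com\r\n"
             "Subject: test\r\n"
             "Date: Tue, 10 Jun 2008 10:38:31 +0000\r\n")
AS_SENT = AS_SIGNED.split("\r\n", 2)[2]   # internal Received stripped after signing

H_WITH_RECEIVED = ["from", "subject", "date", "received"]
H_WITHOUT_RECEIVED = ["from", "subject", "date"]

if __name__ == "__main__":
    for h in (H_WITH_RECEIVED, H_WITHOUT_RECEIVED):
        same = header_digest(AS_SIGNED, h) == header_digest(AS_SENT, h)
        print("h=" + ":".join(h), "->", "unchanged" if same else "signature input changed")
```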

Patrick Wong
2008-06-10 15:26:55 UTC
I have a situation where altermime disclaimer insertion and amavis dkim
signing on outgoing mail begot result from gmail's dkim verification I
don't know what to make of:

Mail of mime type plaintext with plaintext disclaimer inserted through
altermime + dkim signing is OK when verified by gmail (dkim=pass)

But, when mime type is html and html disclaimer is used, I'll get
"dkim=neutral (body hash did not verify)" on gmail's authentication
result.


Is this to be expected?

Mark.Martinec+ (Mark Martinec)
2008-06-11 14:19:06 UTC
Patrick,
Post by Patrick Wong
I have a situation where altermime disclaimer insertion and amavis dkim
signing on outgoing mail begot result from gmail's dkim verification I
Mail of mime type plaintext with plaintext disclaimer inserted through
altermime + dkim signing is OK when verified by gmail (dkim=pass)
But, when mime type is html and html disclaimer is used, I'll get
"dkim=neutral (body hash did not verify)" on gmail's authentication
result.
Is this to be expected?

It was not supposed to happen, but there may be something wrong
with attaching disclaimers. I'll have to check...

Mark

Mark.Martinec+ (Mark Martinec)
2008-06-12 18:01:34 UTC
Post by Patrick Wong
I have a situation where altermime disclaimer insertion and amavis dkim
signing on outgoing mail begot result from gmail's dkim verification I
Mail of mime type plaintext with plaintext disclaimer inserted through
altermime + dkim signing is OK when verified by gmail (dkim=pass)
But, when mime type is html and html disclaimer is used, I'll get
"dkim=neutral (body hash did not verify)" on gmail's authentication
result.

I was able to reproduce the problem and I understand what is happening,
although I'm not sure which component is to blame.

When altermime is inserting a plain text disclaimer to a mail text
(as stored on a file on Unix, i.e. line endings are LF), it inserts
a text from a disclaimer file as-is, i.e. a disclaimer text along with
its LF line endings is directly inserted into a mail text, unmodified.
This works fine, message transfers unmodified and a signature is valid.

When altermime is inserting a '--disclaimer-html' into a html mail,
for some reason it inserts a CR before each LF of the inserted html text,
instead of copying it as-is from a disclaimer file! Here is an example
of the resulting message body:

Content-Type: text/html; charset="iso-8859-1"

<html><head><meta name="qrichtext" content="1" /></head><body
style="font-size:18pt;font-family:Bitstream Vera Sans Mono">
<p>testing</p>
<p><span style="font-style:italic">ital</span></p>
^M
<br>^M
<i>Disclaimer</i>^M
<p>one, two, three^M
<br>^M
</body></html>
--Boundary-01=_cBVUIiha08fkdho--

Amavisd then signs the resulting message, along with all the extra CR
in the disclaimer part of a html text, then sends it over SMTP to Postfix.
I confirmed that a signature is correct for the presented message,
and tcpdump confirms that the SMTP session still has a CR before each
end-of-line. As the SMTP protocol demands line endings to be CRLF,
the bytes sent are actually CR CRLF (0d 0d 0a):

62 72 3e 0d 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 br>...</body></h

When Postfix relays such a message, it strips off the extra CRs
(CR CR LF => CR LF) as confirmed by a tcpdump of a SMTP session
towards the next MTA. This modification of the message breaks
a DKIM signature.


Now, an easy finger-pointing tells me that altermime shouldn't
be inserting extra CRs in the HTML disclaimer part (like it
does correctly for the plain text disclaimer).

Apart from the altermime's guilt, which is the next in line?
How should MTA and a DKIM-signer behave regarding bare-CR in
a mail body?

Mark
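
An added illustration of the failure described in this message (not code from amavisd-new, altermime, Postfix or the original thread): it computes the DKIM bh= value for a body containing CR CR LF and for the same body after a relay collapses it to CR LF, under both RFC 4871 body canonicalizations, and includes a pre-signing check for stray CRs. The sample body is constructed from the excerpt above, and relay_strip_cr only models the rewrite described here.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    """RFC 4871 'simple' body: drop trailing empty lines, end with exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """RFC 4871 'relaxed' body: squeeze SP/HTAB runs, strip trailing SP/HTAB, drop
    trailing empty lines. CR is not WSP, so a stray CR at end of line survives."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon) -> str:
    """Value of the bh= tag for a sha256 signature."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def to_wire(on_disk: bytes) -> bytes:
    """An LF-terminated file as sent over SMTP: every LF becomes CRLF."""
    return on_disk.replace(b"\n", b"\r\n")

def relay_strip_cr(wire: bytes) -> bytes:
    """Model of the relay behaviour described in the thread: CR CR LF => CR LF."""
    return re.sub(rb"\r+\r\n", b"\r\n", wire)

def stray_cr_offsets(wire: bytes) -> list:
    """Pre-signing check: offset of every CR not immediately followed by LF."""
    return [m.start() for m in re.finditer(rb"\r(?!\n)", wire)]

# Constructed sample: LF-terminated HTML with disclaimer lines inserted as CRLF.
ON_DISK = b"<p>testing</p>\n<br>\r\n<i>Disclaimer</i>\r\n</body></html>\n"
SIGNED = to_wire(ON_DISK)          # what the signer hashes: contains 0d 0d 0a
RELAYED = relay_strip_cr(SIGNED)   # what the verifier receives

if __name__ == "__main__":
    for name, canon in (("simple", canon_simple), ("relaxed", canon_relaxed)):
        print(name, "signed :", body_hash(SIGNED, canon))
        print(name, "relayed:", body_hash(RELAYED, canon))
    print("stray CR offsets before signing:", stray_cr_offsets(SIGNED))
```

Neither canonicalization absorbs the change, so a signer that flags a non-empty stray_cr_offsets result before signing catches the problem at the point where it can still be corrected.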

Michael Scheidell
2008-06-13 11:21:35 UTC
Organization: J. Stefan Institute
Date: Thu, 12 Jun 2008 20:01:34 +0200
Subject: Re: [AMaViS-user] dkim + altermime disclaimer
What version of altermime? The version is in ports now.
PORTVERSION= 0.3.8

(from altermime home page:
# Stable Releases (0.3.x series)
# July 13, 2007 - altermime-0.3.8.tar.gz

(and, yes, SOMETIMES I have seen it add the ^M, but not always. It depends
on something I can't reproduce in the .html files)
--
Michael Scheidell, CTO
|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer


Mark.Martinec+ (Mark Martinec)
2008-06-13 12:49:39 UTC
Michael,
Post by Michael Scheidell
What version of altermime? The version is in ports now.
PORTVERSION= 0.3.8
# Stable Releases (0.3.x series)
# July 13, 2007 - altermime-0.3.8.tar.gz
(and, yes, SOMETIMES I have seen it add the ^M, but not always.
It depends on something I can't reproduce in the .html files)

Yes, the altermime 0.3.8 from ports is the one I was using in a test.

Mark

Patrick Wong
2008-06-13 14:49:03 UTC
For completeness, I posted my --disclaimer-html question and Mark's
response to Paul Daniels (author of alterMIME) asking for his help and
the following was his reply:


Thanks for the email - you can let the AMaViS people know that I'll look
into that - alterMIME sometimes converts to \r\n terminators if it
thinks that the parent text body of the email contains \r\n terminated
lines, so somewhere it's getting a bit confused it would seem.

Regards,
Paul.

